Wednesday, April 13, 2011

TCHunt is a data forensic tool to find encrypted TrueCrypt volumes that are hidden or disguised as other files. The software was written to demonstrate that while encrypted volumes may be indistinguishable from random data, volumes themselves can be easily distinguished from most other files on your system.

People believe that they can hide files by simply changing the file extension and disguising it as another file. The truth, is you cannot. Each file type has a well defined header – a pattern of ones and zeroes - from which it can be easily identified whether it is a video file or audio file or a document or a TrueCrypt volume. You cannot even claim the file is corrupted because data corruption is random and statistically can never resemble AES encrypted data, which is the encryption algorithm used by TrueCrypt.

TCHunt tries to identify hidden TrueCrypt volumes by looking at the following file attributes:

The reporting window will list volumes as they are found. Among those listed, there might be false positives. TCHunt takes a very conservative approach when looking for TrueCrypt volumes because the developer believes that it better to have a few false positives than false negatives as false positives can be easily dismissed if they are indeed false. Besides, according to the developer, many false positives usually turn out to be other forms of encrypted data, or in the worst case, files that contain random data.

TCHunt, however, cannot brute-force or break the TrueCrypt volumes, so you are safe on that ground.

TCHunt is available in several languages and runs on all Windows versions newer than Windows XP.